Apple patches Pwn2Own exploit in Mac OS X

Apple patched a hole in its operating system that was first discovered at this …

Apple issued Security Update 2010-003 on Wednesday afternoon for Mac OS X v.10.5.8 client and server, as well as Mac OS X v.10.6.3 client and server. The updates address an issue in the way Apple Type Services handles embedded fonts, preventing the “arbitrary execution of code” after a document is viewed or downloaded. Complete details about the update are available in the support section of Apple’s website.

Apple confirmed that the exploit was none other than the one that was discovered on the first day of the Pwn2Own contest that we reported on last month. The event marked the third year in a row in which security researcher Charlie Miller was able to compromise a Mac running OS X. At the time, many believed the hack exploited an issue in Safari but, as we discovered today, the problem stemmed from the Apple Type Services that Safari makes use of.

With this update, Apple has effectively patched half of the exploits found during this year's Pwn2Own. Still, Apple has yet to patch an iPhone vulnerability discovered by Vincenzo Iozzo and Ralf Philipp Weinmann, which allows undesired access to text messages in the iPhone OS.

36 Reader Comments

I don't want to be pedantic or anything, well actually, I do... The exploit was not "discovered" on the first day of the Pwn2Own, it was revealed then. Charlie had discovered it some time earlier and used it to win his Mac.

I don't want to be pedantic or anything, well actually, I do... The exploit was not "discovered" on the first day of the Pwn2Own, it was revealed then. Charlie had discovered it some time earlier and used it to win his Mac.

I just wonder how many others he is sitting on so he can win more competitions and gain more notoriety. I understand that Apple should be finding these vulnerabilities but they can't find them all, it's just not possible. Surely if people like Charlie Miller were acting responsibly they would alert Apple to the vulnerabilities immediately so they could be patched before some criminal element finds them; not just hold on to them for their own benefit.

I understand that Apple should be finding these vulnerabilities but they can't find them all, it's just not possible.

At terrible risk of instigating a flame war, it sure would be nice if anyone cut Microsoft that kinda slack.

Maybe if they permanently disable Active X? Make it a forced patch on XP and IE6, and corporations would have to upgrade their crappy internal apps overnight. Good times.

But you have to wonder; why is Charlie Miller so much better at fuzzing than Apple is? I heard somewhere (I think it was Ars) that he said he was happy to show Apple et al how he does his fuzzing, I hope they take him up on the offer.

Surely if people like Charlie Miller were acting responsibly they would alert Apple to the vulnerabilities immediately so they could be patched before some criminal element finds them; not just hold on to them for their own benefit.

Doesn't Apple have a practice of never releasing any info on an exploit until they release a patch?

I'm not sure there is a company that can find all exploits for their product. A little outside help and public release of the bug (not the entire exploit) always seems to rush things into being patched. (unless you are Adobe)

Surely if people like Charlie Miller were acting responsibly they would alert Apple to the vulnerabilities immediately so they could be patched before some criminal element finds them; not just hold on to them for their own benefit.

Why should he do a lot of hard work for their benefit? He doesn't release his findings into the wild. From a recent interview:

Quote:

xyberpix: You started the No More Free Bugs Movement, what was/is your reasoning behind this, and have you had much success with selling vulnerabilities/exploits to the vendors? Would you say that the vendors are reacting positively or negatively to this?

0xcharlie: The idea was that finding bugs is hard work. Big vendors have teams of researchers and QA people who are paid lots of money to find bugs. So, on the rare event one slips by and puts their users at risk, vendors should be falling all over themselves to get this information and get fixes available for their customers. Instead, they expect researchers to give them the bugs, deal with them, convince them the bugs are real, provide POC’s, take legal liability, etc and all for charity. Well, as a professional consultant, I get paid to find bugs by our customers, so I started to wonder why my customers paid me and for the same work, vendors don’t.

As for what’s come out of it, hopefully researchers have begun to ask this question too. I’d like to think I’ve helped ZDI to get more researchers participating, although I don’t know for sure. Vendors pretty much ignore the whole NMFB movement. They only care about their bottom line and NMFB doesn’t affect it. The only positive thing I’ve seen is someone from Mozilla recently said they were thinking of raising their bug bounty from $500 and wanted to know what I thought was a fair amount. That made me happy. Besides Mozilla, I’ve never heard of anyone who sold a bug to a vendor, although Chrome offers a program.

But you have to wonder; why is Charlie Miller so much better at fuzzing than Apple is? I heard somewhere (I think it was Ars) that he said he was happy to show Apple et al how he does his fuzzing, I hope they take him up on the offer.

Yes, he has offered to consult with Apple's security engineers, and I agree it would be wise of them to do so. Miller does, however, report potential exploits to Apple. This isn't the first time he's been credited in a security update.

I understand that Apple should be finding these vulnerabilities but they can't find them all, it's just not possible.

At terrible risk of instigating a flame war, it sure would be nice if anyone cut Microsoft that kinda slack.

Maybe if they permanently disable Active X? Make it a forced patch on XP and IE6, and corporations would have to upgrade their crappy internal apps overnight. Good times.

But you have to wonder; why is Charlie Miller so much better at fuzzing than Apple is? I heard somewhere (I think it was Ars) that he said he was happy to show Apple et al how he does his fuzzing, I hope they take him up on the offer.

My guess is that until they start having problems it's just not their top priority. Just go out on the street and ask people who is more secure, Apple or Microsoft; 99% of the people are going to say Apple. As long as that stays that way they don't have anything really pressing them to put the extra work in.

I just wonder how many others he is sitting on so he can win more competitions and gain more notoriety. I understand that Apple should be finding these vulnerabilities but they can't find them all, it's just not possible. Surely if people like Charlie Miller were acting responsibly they would alert Apple to the vulnerabilities immediately so they could be patched before some criminal element finds them; not just hold on to them for their own benefit.

I can't answer for him, but there could be many reasons - freedom to pursue what he wants, ability to legally escalate issues, etc. Being under legal obligations to a company can very much limit your ability to release information about exploits, and if you disagreed about the priorities given different problems, you would be left with very little recourse. He might not want to have to meet with others regularly. The number of purely reasonable answers is gigantic, and he's a person, so less-reasonable ones might come into play too!

ksgant wrote:

But there's no system out there that's immune to a trojan horse, since it mainly exploits the gullibility of the user and not the system.

True only to a limited degree. Some systems make it harder to hide the nature of a trojan. Some have more fine grained roles, so that the trust extended by a user doesn't lead to a fully compromised system. Some limit the capabilities of all but a subset of executables, regardless of those of the user.

Fundamentally, you're right - something must be able to install a system at some point, for instance - but that's no excuse for not improving behavior. Things can be tightened to such a degree that a trojan isn't trivial, or even reasonable.

I believe it is still true that there are no viruses for Mac OS X yet discovered; but a few malicious trojan horse type of exploits have been released.

But there's no system out there that's immune to a trojan horse, since it mainly exploits the gullibility of the user and not the system.

True, not immune, but Apple has mapped the 3 trojans for the Mac and will not let them be installed onto a system, and they can add to that list through the automated update utility. This further discourages people from attacking OS X. The reason 99% of people think that OS X is more secure than Windows is because 1% are wrong. This doesn't mean that there are no holes in OS X or even that there are fewer holes, but that it is harder to effectively exploit the Mac. This is because Mac users as a whole trust Apple and do regular updates. The Mac OS file system (thanks to Unix permissions) is set up to protect critical files. The number of people who can be affected is fewer, so it is harder to reach a critical mass of people. And Apple is employing similar measures to the ones provided by both Microsoft and virus vendors, within the OS so that all users have access to them.

Contrast that with the throngs of Windows users who are poorly patched running code written upwards of a decade ago!

There's a bit of a problem with this patch. The Apple document for the patch says all 10.5 and all 10.6 systems are affected; whereas the originating CVE document for the vulnerability says *only* 10.6 AND *only* Safari 4.0.

There's no explanation I could find for the discrepancy. So: are 10.5 systems really affected? Are systems not running Safari really affected?

Apple mentions the CVE document to bolster its own documentation, but in so doing raises these questions. Shoddy.

But that it is harder to effectively exploit the Mac. This is because Mac users as a whole trust Apple and do regular updates.

I'm not sure about the doing regular updates part more than Windows users.

Quote:

The Mac OS file system (thanks to Unix permissions) is set up to protect critical files.

OK.

Quote:

The number of people who can be affected is fewer, so it is harder to reach a critical mass of people.

I think this is the most important answer. When Jobs came back to Apple in the 1990s, he realized that the Mac would never be the dominant OS. And Apple isn't even trying to change that. They would be satisfied with about 10% US OS market share and about 5% worldwide at higher profit margins. - But this lower OS market share is an advantage and Apple knows it. Malware "vendors" (trying to be polite here) don't want to buy Macs to code Mac malware and they want to reach as many potential “customers” as possible. And that is why imo almost all malware is written for Windows.

True, not immune, but Apple has mapped the 3 trojans for the Mac and will not let them be installed onto a system, and they can add to that list through the automated update utility. This further discourages people from attacking OS X.

And how quickly will they react to new threats? Considering that they've shipped known vulnerable Flash, Java and other software in the past.

Puggsly wrote:

The reason 99% of people think that OS X is more secure than Windows is because 1% are wrong. This doesn't mean that there are no holes in OS X or even that there are fewer holes, but that it is harder to effectively exploit the Mac. This is because Mac users as a whole trust Apple and do regular updates.

Do you know anything about exploiting software? Perhaps you'd like to explain why it's harder to exploit? And what makes you so sure that everyone updates regularly?

Puggsly wrote:

The Mac OS file system (thanks to Unix permissions) is set up to protect critical files. The number of people who can be affected is fewer, so it is harder to reach a critical mass of people. And Apple is employing similar measures to the ones provided by both Microsoft and virus vendors, within the OS so that all users have access to them.

Windows has had finer-grained permissions than Unix since the NT days. MAC frameworks like SELinux can augment Unix permissions. Again, this malware protection is new to Snow Leopard and Apple has no track record in responding robustly to malware. There simply haven't been any credible attempts to exploit Mac OS X, so we'll just have to wait and see. One thing that is certain is that the small user base makes Mac OS extremely unattractive to a malware developer.

Puggsly wrote:

Contrast that with the throngs of Windows users who are poorly patched running code written upwards of a decade ago!

Where do you get the idea that old code is any worse than modern code? If anything, it's more likely to be proven. Besides, Mac OS X contains code much older than ten years (e.g. BSD code).

Don't get me wrong, I love Mac OS X. But I'm not under the delusion that it is very secure. I have very little confidence in Apple's ability to take security seriously. Charlie Miller himself has stated that he goes for the Mac because it's easier to hit than Windows since they started taking security seriously.

Windows has had finer-grained permissions than Unix since the NT days. MAC frameworks like SELinux can augment Unix permissions.

This isn't really true... many UNIXes have had fine grained access control lists and the like for a long time - e.g. Solaris has had this since around 1995.

Sure. I was referring to standard POSIX file permissions, rather than a specific Unix implementation. I should have made that clear. My point was that Windows had fine-grained ACLs long before Mac OS X (implemented in 10.4). Doesn't seem to stop people claiming that POSIX file permissions are more comprehensive than Windows.

Anyway, using Mac OS X or Linux is like living in a nice neighbourhood. Your house isn't harder to break into, but there are fewer people trying.

I believe it is still true that there are no viruses for Mac OS X yet discovered; but a few malicious trojan horse type of exploits have been released.

But there's no system out there that's immune to a trojan horse, since it mainly exploits the gullibility of the user and not the system.

True, not immune, but Apple has mapped the 3 trojans for the Mac and will not let them be installed onto a system, and they can add to that list through the automated update utility. This further discourages people from attacking OS X. The reason 99% of people think that OS X is more secure than Windows is because 1% are wrong. This doesn't mean that there are no holes in OS X or even that there are fewer holes, but that it is harder to effectively exploit the Mac. This is because Mac users as a whole trust Apple and do regular updates. The Mac OS file system (thanks to Unix permissions) is set up to protect critical files. The number of people who can be affected is fewer, so it is harder to reach a critical mass of people. And Apple is employing similar measures to the ones provided by both Microsoft and virus vendors, within the OS so that all users have access to them. Contrast that with the throngs of Windows users who are poorly patched running code written upwards of a decade ago!

Your post is fucking retarded. Let’s look at it.

Quote:

True, not immune, but Apple has mapped the 3 trojans for the Mac and will not let them be installed onto a system, and they can add to that list through the automated update utility.

The reason 99% of people think that OS X is more secure than Windows is because 1% are wrong.

And how do you quantify that? Did you own a PC, fuck it up yourself, then move to an Apple appliance and stay out of trouble? I’m a PC (gamer, developer, enthusiast), and I’ve been trouble free for decades. DECADES.

Quote:

This doesn't mean that there are no holes in OS X or even that there are fewer holes, but that it is harder to effectively exploit the Mac.

You are joking, right? Rewrite that so it makes sense.

Quote:

This is because Mac users as a whole trust Apple and do regular updates.